Re: sandboxing untrusted code

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Jacob Champion <jacob.champion@enterprisedb.com>, Andres Freund <andres@anarazel.de>, Jeff Davis <pgsql@j-davis.com>, PostgreSQL-development <pgsql-hackers@postgresql.org>, Noah Misch <noah@leadboat.com>
Date: 2026-06-01T19:05:32Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> ... One of the worst things for a security system to do is be
> so annoying that users turn it off, and blocking stuff that a human
> will immediately identify as harmless is a quick route to that goal.

Right.  I'm reminded of SELinux, which in its early incarnations
was definitely in the category of "too annoying for normal users".
Red Hat spent literally years sanding down the rough edges, and
since then it's been on-by-default on just about every RH-based
machine, with few problems.  Don't underestimate the amount of
effort needed to get to that status.

I was only on the periphery of that work, but from what I recall,
the years of fine-tuning were less about the core mechanisms than
about developing a set of policies that didn't get in people's way.
The corresponding labor here would probably be refining our ideas
about which sets of functions to distinguish and making sure that
all the functions are correctly classified.

			regards, tom lane



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Fix possible crash in tablesync worker.

  2. Display 'password_required' option for \dRs+ command.

  3. Restart the apply worker if the 'password_required' option is changed.

  4. Fix possible logical replication crash.

  5. Add new predefined role pg_create_subscription.

  6. Expand AclMode to 64 bits

  7. More cleanup of a2ab9c06ea.

  8. Respect permissions within logical replication.

  9. Improve table locking behavior in the face of current DDL.